List: cobalt-users
Subject: RE: [cobalt-users] Menuconf
From: "Andy Brown" <andy.brown () interv8 ! co ! uk>
Date: 2002-10-31 10:59:04
<snip>
> > > Pardon my ignorance, but I just ran top on my RaQ2 and saw something
> > > called "menuconf" running and eating up a lot of my cpu. I've never
> > > seen this
>
> > You or one of your users must have accidentally placed that file there.
> > It won't affect your RaQ2 because it can't run there. It's part of DOS
> > that will only run with COMMAND.COM available on an INTEL architecture.
> > You have a MIPS machine with Linux.
>
> Since it is showing up in TOP, then it means it's running and it's a valid
> Linux binary and nothing like a DOS command. What I feel is that it might
> be something related to the LCD menu for the Cobalt RAQs. Please check
> whether someone had kept the RaQ's menu in ON state. If this is the case
> then most probably that might be the reason for it taking high CPU as it
> might be waiting for the user input. In that case just close the menu and
> that's it.
</snip>
From what I recall there are no 'menuconf' programs on any of the RaQs, so I'd be wary of this process to a degree. This could be a backdoor process running, so I'd first find out what ownership it's running under by doing:
ps ux
and see if it's running under root or another user. If it's by root, then it's either: a root admin ran the process, the cobalt itself ran the process, or a malicious user gained root and ran it. Then do a
netstat -anp
and look to see if the process is listening/communicating on a port; if so, make a note of the port number, tcp/udp, etc. so you can do some web searches. If it is listening/communicating on a port then I'd be a lot more suspicious of it; AFAIK no cobalt processes (apart from the obvious: httpd, sendmail, etc.) should listen/establish communication ports.
kill -9 the process, and track down the binary using find.
Hopefully it's an innocent user, but it may be worth doing some chkrootkit checks as well just to be safe.
Regards,
Andy
andy@raqpak.com
http://www.raqpak.com <-- Unofficial FAQs and PKGs
_____________________________________
cobalt-users mailing list
cobalt-users@list.cobalt.com
To subscribe/unsubscribe, or to SEARCH THE ARCHIVES, go to:
http://list.cobalt.com/mailman/listinfo/cobalt-users
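
The ownership and port checks described in the message above, as an added example that is not part of the original post: two shell filters that pull the owner of a named process out of `ps aux`-style output and its sockets out of `netstat -anp` output. The sample output, the user `site12`, the PIDs and port 40000 are constructed for illustration, and the column layout is assumed to match the samples.

```shell
#!/bin/sh
# Added example: triage helpers for the ps / netstat steps in the message above.
# All sample data is constructed; user "site12" and port 40000 are made up.

# Constructed `ps aux` output.
sample_ps() {
cat <<'EOF'
USER       PID %CPU %MEM   VSZ  RSS TTY      STAT START   TIME COMMAND
root       412  0.0  1.2  3120  980 ?        S    Oct30   0:01 /usr/sbin/httpd
site12    2291 97.3  0.8  1844  640 ?        R    09:14  41:07 ./menuconf
root      2300  0.0  0.5  1500  400 pts/0    S    10:50   0:00 grep menuconf
EOF
}

# Constructed `netstat -anp` output (UDP rows have an empty State column).
sample_netstat() {
cat <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      412/httpd
tcp        0      0 0.0.0.0:40000           0.0.0.0:*               LISTEN      2291/menuconf
udp        0      0 0.0.0.0:40000           0.0.0.0:*                           2291/menuconf
EOF
}

# Print "USER PID" for every process whose command basename is exactly $1.
proc_owners() {
    awk -v name="$1" 'NR > 1 {
        cmd = $11; sub(/.*\//, "", cmd)      # strip any directory part
        if (cmd == name) print $1, $2
    }'
}

# Print "PROTO LOCAL_ADDR STATE PID" for every socket held by program $1.
proc_sockets() {
    awk -v name="$1" '$1 ~ /^(tcp|udp)/ {
        for (i = 6; i <= NF; i++)            # PID/Program is field 6 (udp) or 7 (tcp)
            if ($i ~ /^[0-9]+\//) {
                split($i, p, "/")
                if (p[2] == name) print $1, $4, (i == 7 ? $6 : "-"), p[1]
                break
            }
    }'
}

# Live use:  ps aux | proc_owners menuconf ;  netstat -anp | proc_sockets menuconf
sample_ps | proc_owners menuconf
sample_netstat | proc_sockets menuconf
```

Matching on the exact command basename keeps the `grep menuconf` row out of the owner list, and scanning for the `PID/Program` field handles UDP rows where the State column is blank.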